AMENDMENTS TO THE CLAIMS:

This listing of the claims will replace all prior versions, and listings, of the claims in this 
application. 

Listing of Claims:

1. (Currently Amended) A gateway for connecting an external portion of a network to an
internal secured portion of the network wherein the gateway is arranged to identify automatically
when a communication session exists between two mobile workstations both of which are
connected in the external portion of the network by detecting a packet sent from one of the two
mobile workstations to the other one of the two mobile workstations, said gateway further
configured to inform a virtual network connectivity manager of the detected communication
session between the two mobile workstations so as to enable said virtual network connectivity
manager to send first security information to the first mobile workstation and second security
information to the second mobile workstation using a secure communication, where the first
mobile workstation uses the first security information and the second mobile workstation uses
the second security information to enable a second secure communication by which further
information is transferable securely between the first mobile workstation and the second mobile
workstation without passing through the internal secured portion of the network.

2. (Original) A gateway as claimed in claim 1, having means for monitoring the source and
destination of received packets. 

3. (Original) A gateway as claimed in claim 1 having secure communication means by 
which information is transferable securely to the two mobile workstations separately. 

4. (Original) A gateway as claimed in claim 3 wherein the secure communication means 
includes a first Security Association with a first mobile workstation and a second Security 
Association with a second mobile workstation. 

5. (Previously Presented) A gateway as claimed in claim 3, wherein the gateway is arranged
to send, using the secure communication means, an identifier of a second mobile workstation to
a first mobile workstation for use as an address in a packet originating from the first mobile
workstation and destined for the second mobile workstation.

6. (Original) A gateway as claimed in claim 5 wherein the identifier of the second mobile 
workstation is a Home Address. 

7. (Previously Presented) A gateway as claimed in claim 3, wherein the gateway is arranged
to send, using the secure communication means, an identifier of the first mobile workstation to
the second mobile workstation for use as an address in a packet originating from the second
mobile workstation and destined for the first mobile workstation. 

8. (Original) A gateway as claimed in claim 7 wherein the identifier of the first mobile 
workstation is a Home Address. 

9. Cancelled. 

10. (Currently Amended) A gateway as claimed in claim [[9]] 1, wherein the second secure 
communication means comprises Security Associations. 

11. (Previously Presented) A gateway as claimed in claim 1 wherein the gateway is further
arranged to identify automatically when a mobile workstation moves between the internal and 
the external portions of the network. 

12. (Currently Amended) A network including an internal secured portion which connects, 
via a gateway to an external portion, the network comprising a plurality of workstations including 
mobile workstations; the gateway and secure communication means by which information is
transferable securely to a first mobile workstation in the external portion of the network via the
gateway and by which information is transferable securely to a second mobile workstation in the
external portion of the network via the gateway; and information transfer means located within
the internal secured portion of the network or within the gateway and arranged to send, using the
secure communication means, an identifier of the second mobile workstation to the first mobile
workstation for use as an address in a packet originating from the first mobile workstation and
destined for the second mobile workstation, and a virtual network connectivity manager
configured to send first security information to the first mobile workstation and second security
information to the second mobile workstation using a secure communication, where the first
mobile workstation uses the first security information and the second mobile workstation uses
the second security information to enable a second secure communication by which further
information is transferable securely between the first mobile workstation and the second mobile
workstation without passing through the internal secured portion of the network.

13. (Currently Amended) A network as claimed in claim 12, wherein the information transfer
means is further arranged to send, using the secure communication means, an identifier of the
first mobile workstation to the second mobile workstation for use as an address in a packet
originating from the second mobile workstation and destined for the first mobile workstation, and
an identifier of the second mobile workstation to the first mobile workstation for use as an
address in a packet originating from the first mobile workstation and destined for the second
mobile workstation.

14. (Previously Presented) A network as claimed in claim 12 wherein the identifier of a 
mobile workstation is a Home Address of the mobile workstation. 

15. (Previously Presented) A network as claimed in claim 12 wherein the secure 
communication means provides an encrypted communications channel to the first mobile 
workstation and an encrypted communications channel to the second mobile workstation. 

16. (Previously Presented) A network as claimed in claim 12 wherein the secure 
communication means comprises a first Security Association and a second Security Association.



S.N.: 10/531,653 
Art Unit: 2431 

17. (Previously Presented) A network as claimed in claim 12 wherein the gateway is arranged
to detect a communications session between two mobile workstations which are connected at the 
external portion of the network. 

18. (Previously Presented) A network as claimed in claim 12 further comprising: 

means for dynamically updating an identifier of the first mobile workstation as it moves 
within the external portion of the network; 

means for communicating the updated identifier of the first mobile workstation to the 
second mobile workstation; and 

means for sending packets from the second mobile workstation to the first mobile
workstation using the second secure communication means, wherein the packets are addressed
using the updated identifier of the first mobile workstation. 

19. (Original) A network as claimed in claim 18 wherein the updated identifier is a 
Care-of-Address. 

20. (Previously Presented) A network as claimed in claim 12 wherein the network is arranged
to use private addresses to communicate within the internal portion of the network and the 
identifier of the second workstation is a public address. 

21. (Currently Amended) A method of securely routing communications between a first 
mobile node and a second mobile node of a network including an internal secured portion which
connects, via a gateway to an external portion, comprising the steps of: 

maintaining a secure communication means by which information is transferable securely 
to a first mobile node in the external portion of the network via the gateway and by which 
information is transferable securely to a second mobile node in the external portion of the 
network via the gateway; 

sending from a virtual network connectivity manager first security information to the first
mobile node and second security information to the second mobile node using the secure
communication means, where the first mobile node uses the first security information and the
second mobile node uses the second security information to transfer information securely
between the first mobile node and the second mobile node without the information passing 
through the internal secured portion of the network 

sending an identifier of the second mobile node to the first mobile node using the secure
communication means; and

addressing a packet sent from the first mobile node to the second mobile node using the
identifier of the second mobile node and routing the packet, using the identifier of the second
mobile node, from the first mobile node to the second mobile node, not necessarily via the
gateway.

22. (Currently Amended) A method as claimed in claim 21 further comprising the steps of: 
sending an identifier of the first mobile node to the second mobile node using the secure
communication means and sending an identifier of the second mobile node to the first mobile
node using the secure communication means; and

addressing a packet sent from the first mobile node to the second mobile node using the
identifier of the second mobile node and routing the packet, using the identifier of the second
mobile node; and addressing a packet sent from the second mobile node to the first mobile node
using the identifier of the first mobile node and routing the packet from the second mobile node
to the first mobile node, not necessarily via the gateway.

23. (Currently Amended) A mobile workstation for connecting to an external portion of a 
network that includes an internal secured portion connected, via a gateway to the external 
portion, comprising: 

means for using a secure communication means by which information is transferable 
securely from the internal portion of the network to the mobile workstation via the gateway;

means arranged to receive, via the first secure communication means, an identifier of 
another mobile workstation also connected to the external portion of the network; and 

means for including the identifier of the other mobile workstation as an address in a 
packet for transmission to the other mobile workstation,

said receiving means arranged to receive, from a virtual network connectivity manager,
first security information using said secure communication means by which further information
is transferable securely between the mobile workstation and the another mobile workstation
without passing through the internal secured portion of the network.

24. (Currently Amended) A virtual private network including an internal secured portion 
which connects, via a gateway to an external portion, the network being arranged to communicate 
within the internal portion of the network using private addresses and comprising: 

a plurality of workstations including mobile workstations; 
the gateway; 

first secure communication means by which information is transferable securely to a first 
mobile workstation connected at the external portion of the network via the gateway and by 
which information is transferable securely to a second mobile workstation connected at the 
external portion of the network via the gateway; and

virtual network connectivity manager means for sending first security information to the 
first mobile workstation and second security information to the second mobile workstation using 
the first secure communication means, where the first mobile workstation uses the first security 
information and the second mobile workstation uses the second security information to enable 
a second secure communication means by which further information is transferable securely
between the first mobile workstation and the second mobile workstation without passing through 
the internal secured portion of the network 

information transfer means arranged to send first security information to the first mobile
workstation and second security information to the second mobile workstation using the first
secure communication means, wherein the first mobile workstation uses the first security
information and the second mobile workstation uses the second security information to enable
a second secure communication means by which further information is transferable securely
between the first mobile workstation and the second mobile workstation without passing through
the gateway.

25. (Original) A virtual private network as claimed in claim 24, wherein the further
information is transferable in packets using public addresses.

26. (Previously Presented) A network as claimed in claim 24, wherein the first secure
communication means provides an encrypted communications channel to the first mobile 
workstation and an encrypted communications channel to the second mobile workstation. 

27. (Previously Presented) A network as claimed in claim 24, wherein the first secure 
communication means comprises a first Security Association and a second Security Association. 

28. (Currently Amended) A network as claimed in any one of claim 27, wherein the first 
Security Association is from the gateway to the first mobile workstation and the second Security
Association is from the gateway to the second mobile workstation.

29. (Original) A network as claimed in claim 28 wherein the first Security Association is
from the internal portion of the network to the first mobile workstation and the second Security
Association is from the internal portion of the network to the second mobile workstation.

30. (Previously Presented) A network as claimed in claim 27, wherein communications using 
the first and second Security Associations use addresses which are private. 

31. (Previously Presented) A network as claimed in claim 24, wherein the second secure
communication means provides encrypted communications channels between the first and second
mobile workstations. 

32. (Original) A network as claimed in claim 31 wherein the first and second security 
information define the encryption/decryption of the encrypted communications channels. 

33. (Previously Presented) A network as claimed in claim 24 wherein the second secure 
communication means comprises at least a third Security Association from the first mobile
workstation to the second mobile workstation. 

34. (Original) A network as claimed in claim 33 wherein first and second security 
information defines at least the third Security Association.

35. (Previously Presented) A network as claimed in claim 24, wherein at least a portion of 
the first security information and at least a portion of the second security information are created 
within the internal portion of the network. 

36. (Previously Presented) A network as claimed in claim 24, wherein the gateway is 
arranged to detect a communications session between two mobile workstations which are 
connected at the external portion of the network. 

37. (Previously Presented) A network as claimed in claim 24, wherein the second secure 
communication means is enabled by the adaptation of databases in the first and second mobile 
workstations. 

38. (Previously Presented) A network as claimed in claim 24, further comprising: 
information transfer means arranged to send, using the first secure communication means, an 
identifier of the second mobile workstation to the first mobile workstation for use as an address 
in a packet originating from the first mobile workstation and destined for the second mobile
workstation. 

39. (Original) A network as claimed in claim 38 wherein the identifier of the second mobile 
workstation is a Home Address. 

40. (Previously Presented) A network as claimed in claim 38, wherein the identifier of the 
second mobile workstation is a public address. 

41. (Previously Presented) A network as claimed in claim 24 further comprising:

means for dynamically updating an identifier of the first mobile workstation as it moves
within the external portion of the network;

means for communicating the updated identifier of the first mobile workstation to the 
second mobile workstation; and

means for sending packets from the second mobile workstation to the first mobile 
workstation using the second secure communication means, wherein the packets are addressed 
using the updated identifier of the first mobile workstation. 

42. (Original) A network as claimed in claim 41 wherein the updated identifier is a 
Care-of-Address.

43. (Currently Amended) A method of securing communications between a first mobile node
and a second mobile node of a virtual private network including an internal secured portion
which connects, via a gateway to an external portion, comprising the steps of:

communicating within the internal portion of the network using private addresses;

maintaining a first secure communication means by which information is transferable 
securely to the first mobile node in the external portion of the network via the gateway and by 
which information is transferable securely to a second mobile node in the external portion of the 
network via the gateway; 

sending first security information to the first mobile node using the first secure 
communication means; 

sending second security information to the second mobile node using the first secure 
communication means; 

creating a second secure communication means in the first mobile node, using the first 
security information in the first mobile node and the second security information in the second 
mobile node; and 

using the second secure communication means, and not the first secure communication 
means, for transferring further information between the first and second mobile nodes while they 
both remain in the external portion of the network, where

the gateway is arranged to identify automatically when a communication session exists
between the two mobile nodes by detecting a packet sent from one of the two mobile nodes to
the other one of the two mobile nodes, and where a virtual network connectivity manager means
is configured to send the first security information to the first mobile node and the second
security information to the second mobile node using the first secure communication means,
where the further information is transferable securely between the first mobile node and the
second mobile node without passing through the internal secured portion of the network.

44. (Currently Amended) A mobile workstation for connecting to a virtual private network
that includes an internal secured portion connected, via a gateway to the external portion, and for 
communicating while in the internal portion using packet addresses which are private to the 
network, the mobile workstation comprising: 

means for using a first secure communication means by which packets addressed to the 
private address of the mobile workstation are transferable securely from the internal portion of
the network to the mobile workstation via the gateway; 

means arranged to receive, via the first secure communication means, first security 
information for enabling a second secure communication means; and 

means for using the enabled second secure communication means to securely receive 
further packets, addressed to a public address of the mobile workstation, from another mobile
workstation also in the external portion of the network,

said receiving means arranged to receive, from a virtual network connectivity manager,
the first security information using said first secure communication means by which the further
packets are transferable securely between the mobile workstation and the another mobile
workstation without passing through the internal secured portion of the network.

45. (Original) A mobile workstation as claimed in claim 44 further comprising a database and
means for modifying the database in response to the received first security information. 

46. (Original) A mobile workstation as claimed in claim 45 wherein the database includes 
a Security Association Database (SAD) which is modified to include a new Security Association.

47. (Original) A mobile workstation as claimed in claim 46 wherein the database includes 
a Security Policy database which is modified so that packets for the other mobile workstation use 
the new Security Association. 

48. (Currently Amended) A virtual private network including an internal secured portion
which connects, via a gateway to an external portion, the network being arranged to communicate
within the internal portion of the network using private addresses and comprising:

a plurality of workstations including mobile workstations; 
the gateway; 

secure communication means by which information is transferable securely, without 
passing through the gateway, between a first mobile workstation connected to the external 
portion of the network and a second mobile workstation connected to the external portion of the
network; 

means for dynamically updating an identifier of the first mobile workstation as it moves 
within the external portion of the network;

means for communicating the updated identifier of the first mobile workstation to the 
second mobile workstation; and 

means for sending packets from the second mobile workstation to the first mobile
workstation using the secure communication means, wherein the packets are addressed using the
updated identifier of the first mobile workstation, where

the gateway is arranged to identify automatically when a communication session exists between
the first and second mobile workstations by detecting a packet sent from one of the two mobile
workstations to the other one of the two mobile workstations, and where a virtual network
connectivity manager means is configured to securely send security information to the first
mobile workstation and to the second mobile workstation, and where packets are transferable
securely between the first mobile workstation and the second mobile workstation through said
secure communication means without passing through the internal secured portion of the network
and are routed without necessarily passing through the gateway.

49. (Original) A network as claimed in claim 48 wherein the updated identifier is a 
Care-of-Address. 

50. (Previously Presented) A network as claimed in claim 48 wherein the secure 
communication means provides encrypted communications channels between the first and second 
mobile workstations.

51. (Previously Presented) A network as claimed in claim 48 wherein the secure 
communication means comprises a Security Association from the first mobile workstation to the 
second mobile workstation and a Security Association from the second mobile workstation to 
the first mobile workstation. 

52. (Previously Presented) A network as claimed in claim 48 wherein the secure 
communication means is enabled by databases in the first and second mobile workstations.

53. (Currently Amended) A method of optimising optimizing the routing of secure 
communications between a first mobile node and a second mobile node of a network including 
an internal secured portion which connects, via a gateway to an external portion, comprising the
steps of:

communicating within the internal portion of the network using private addresses;

creating a secure communication means by which information is transferable securely,
without passing through the gateway, between a first mobile node of the external portion of the
network and a second mobile node of the external portion of the network;

moving the first mobile node within the external portion of the network;

modifying an identifier of the first mobile node in response to its movement; 

communicating the modified identifier of the first mobile node to the second mobile 
node; and 

sending a packet from the second mobile node for reception by the first mobile node, 
without necessarily passing via the gateway, after addressing it using the updated identifier of the
first mobile and securing it using the secure communication means, where

the gateway is arranged to identify automatically when a communication session exists
between the first and second mobile nodes by detecting a packet sent from one of the two mobile
nodes to the other one of the two mobile nodes, and where a virtual network connectivity
manager is configured to securely send security information to the first mobile node and to the
second mobile node, and where the packet is sent securely from the second mobile node for
reception by the first mobile node using said secure communication means without passing
through the internal secured portion of the network.

54. (Currently Amended) A mobile workstation for connecting to an external portion of a
network that includes an internal secured portion connected, via a gateway to the external
portion, comprising: 

means for communicating using private addresses when in the internal portion of the 
network; 

means for enabling and using a secure communication means by which information is 
transferable securely from the mobile workstation, when in the external portion of the network,
to another mobile workstation connected to the external portion of the network without passing
through the gateway; 

means for receiving an identifier of the other mobile workstation; and 

means for sending packets, when in the external portion of the network, to the other
mobile workstation using the secure communication means and the received identifier, where

said receiving means is arranged to securely receive, from a virtual network connectivity
manager, the identifier such that the packets are sent securely between the mobile workstations
without passing through the internal secured portion of the network.

55. (Original) A mobile workstation as claimed in claim 54 wherein the identifier is a public 
address. 

56. (Original) A mobile workstation as claimed in claim 55 wherein the identifier is a Home 
Address or a Care-of-Address. 